Was Stuxnet Worm Built to Attack Iran's Nuclear Program?

[mouser]

Fascinating stuff..

A highly sophisticated computer worm [Stuxnet] that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran's Bushehr nuclear reactor....
Experts had first thought that Stuxnet was written to steal industrial secrets -- factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings -- a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device -- and then it injects its own code into that system. Because of the complexity of the attack, the target "must be of extremely high value to the attacker," Langner wrote in his analysis.

http://www.pcworld.c...nuclear_program.html

from http://slashdot.org/

[Deozaan]

Really interesting prospect.

[f0dder]

Yay for having SCADA stuff available over the internet - f'ing brilliant idea >_<

[Deozaan]

It wouldn't necessarily have to be directly connected to the internet to get infected.

Someone could bring in a USB drive that was infected and connect it to a PC on the intranet which infects it.

I'm making this up as I go along so I'm probably wrong but it makes sense to me. 

[f0dder]

True, Deo - but that's also pretty bad - (critical) SCADA systems really shouldn't be accessible from the outside by any means... they should have "air firewalling"

Btw, this is a worm, so either the systems *are* directly accessible from the 'net, or it uses other exploits to get into LANs and then start looking.

[nosh]

By messing with Operational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too.

Wonder how many countries currently have some of their nukes pointing to... themselves.

[ppass]

Excellent webinar last week on the subject:

http://www.norman.co...ebcasts/101374/en-uk

[mouser]

update in NY times today:

http://www.nytimes.c.../16stuxnet.html?_r=1

"In interviews over the past three months in the United States and Europe, experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009. "

"The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart."

from slashdot post here: http://tech.slashdot...srael-Behind-Stuxnet

[mouser]

Very interesting new article out today:

The key to unraveling the mystery of Stuxnet is understanding the meaning of a seemingly purposeless act by the attackers behind the malware. Stuxnet was first reported on June 17, 2010 by VirusBlokAda, an anti-virus company in Belarus. On June 24, VirusBlokAda noticed that two of the Stuxnet components, Windows drivers named MrxCls.sys and MrxNet.sys, were signed using the digital signature from a certificate issued to Realtek Semiconductor. VirusBlokAda immediately notified Realtek and on July 16, VeriSign revoked the Realtek certificate. The very next day, a new Stuxnet driver named jmidebs.sys appeared, but this one was signed with a certificate from JMicron Technology. This new Stuxnet driver had been compiled on July 14. On July 22, five days after the new driver was first reported, VeriSign revoked the JMicron certificate.

The question I want to explore is why the attackers rolled out a new version of their driver signed with the second certificate. This is a key question because this is the one action that we know the attackers took deliberately after the malware became public. It’s an action that they took at a time when there was a lot of information asymmetry in their favor. They knew exactly what they were up to and the rest of us had no clue.

http://emptywheel.fi...-second-certificate/

[mouser]

New excellent long article on stuxnet:
http://www.wired.com...phered-stuxnet/all/1
"How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History"

[tomos]

New long article on stuxnet:
http://www.wired.com...phered-stuxnet/all/1
"How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History"

-mouser (July 16, 2011, 09:35 PM)

great article
-
I have a rebooting computer and one diagnostic tool said it had 'probably' dectected a virus in memory.
Maybe this was my problem all along...